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All participants (applicant, applicant's representative, PTO personnel): 
(1 ) Matthew T. Henning . (3) 



(2) James Larson . (4) . 

Date of Interview: 04 April 2005 . 

Type: a)(3 Telephonic b)D Video Conference 

c)D Personal [copy given to: !)□ applicant 2)D applicant's representative] 

Exhibit shown or demonstration conducted: d)D Yes e)E3 No. 
If Yes, brief description: . 

Claim(s) discussed: . 

Identification of prior art discussed: . 

Agreement with respect to the claims f)D was reached. g)D was not reached. h)El N/A. 



Substance of Interview including description of the general nature of what was agreed to if an agreement was 
reached, or any other comments: See Continuation Sheet . 

(A fuller description, if necessary, and a copy of the amendments which the examiner agreed would render the claims 
allowable, if available, must be attached. Also, where no copy of the amendments that would render the claims 
allowable is available, a summary thereof must be attached.) 

THE FORMAL WRITTEN REPLY TO THE LAST OFFICE ACTION MUST INCLUDE THE SUBSTANCE OF THE 
INTERVIEW. (See MPEP Section 71 3.04). If a reply to the last Office action has already been filed, APPLICANT IS 
GIVEN ONE MONTH FROM THIS INTERVIEW DATE, OR THE MAILING DATE OF THIS INTERVIEW SUMMARY 
FORM, WHICHEVER IS LATER, TO FILE A STATEMENT OF THE SUBSTANCE OF THE INTERVIEW. See 
Summary of Record of Interview requirements on reverse side or on attached sheet. 
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Summary of Record of Interview Requirements 



Manual of Patent Examining Procedure (MPEP), Section 713.04, Substance of Interview Must be Made of Record 

A complete written statement as to the substance of any face-to-face, video conference, or telephone interview with regard to an application must be made of record in the 
application whether or not an agreement with the examiner was reached at the interview. 

Title 37 Code of Federal Regulations (CFR) § 1.133 Interviews 
Paragraph (b) 

In every instance where reconsideration is requested in view of an interview with an examiner, a complete written statement of the reasons presented at the interview as 
warranting favorable action must be filed by the applicant. An interview does not remove the necessity for reply to Office action as specified in §§ 1 .1 1 1 , 1 .135. (35 U.S. C. 132) 

37 CFR §1.2 Business to be transacted in writing. 
All business with the Patent or Trademark Office should be transacted in writing. The personal attendance of applicants or their attorneys or agents at the Patent and 
Trademark Office is unnecessary. The action of the Patent and Trademark Office will be based exclusively on the written record in the Office. No attention will be paid to 
any alleged oral promise, stipulation, or understanding in relation to which there is disagreement or doubt. 



The action of the Patent and Trademark Office cannot be based exclusively on the written record in the Office if that record is itself 
incomplete through the failure to record the substance of interviews. 

It is the responsibility of the applicant or the attorney or agent to make the substance of an interview of record in the application file, unless 
the examiner indicates he or she will do so. It is the examiner's responsibility to see that such a record is made and to correct material inaccuracies 
which bear directly on the question of patentability. 

Examiners must complete an Interview Summary Form for each interview held where a matter of substance has been discussed during the 
interview by checking the appropriate boxes and filling in the blanks. Discussions regarding only procedural matters, directed solely to restriction 
requirements for which interview recordation is otherwise provided for in Section 812.01 of the Manual of Patent Examining Procedure, or pointing 
out typographical errors or unreadable script in Office actions or the like, are excluded from the interview recordation procedures below. Where the 
substance of an interview is completely recorded in an Examiners Amendment, no separate Interview Summary Record is required. 

The Interview Summary Form shall be given an appropriate Paper No., placed in the right hand portion of the file, and listed on the 
"Contents" section of the file wrapper. In a personal interview, a duplicate of the Form is given to the applicant (or attorney or agent) at the 
conclusion of the interview. In the case of a telephone or video-conference interview, the copy is mailed to the applicant's correspondence address 
either with or prior to the next official communication. If additional correspondence from the examiner is not likely before an allowance or if other 
circumstances dictate, the Form should be mailed promptly after the interview rather than with the next official communication. 

The Form provides for recordation of the following information: 

- Application Number (Series Code and Serial Number) 

- Name of applicant 

- Name of examiner 

- Date of interview 

- Type of interview (telephonic, video-conference, or personal) 

- Name of participant(s) (applicant, attorney or agent, examiner, other PTO personnel, etc.) 

- An indication whether or not an exhibit was shown or a demonstration conducted 

- An identification of the specific prior art discussed 

- An indication whether an agreement was reached and if so, a description of the general nature of the agreement (may be by 
attachment of a copy of amendments or claims agreed as being allowable). Note: Agreement as to allowability is tentative and does 
not restrict further action by the examiner to the contrary. 

- The signature of the examiner who conducted the interview (if Form is not an attachment to a signed Office action) 

It is desirable that the examiner orally remind the applicant of his or her obligation to record the substance of the interview of each case. It 
should be noted, however, that the Interview Summary Form will not normally be considered a complete and proper recordation of the interview 
unless it includes, or is supplemented by the applicant or the examiner to include, all of the applicable items required below concerning the 
substance of the interview. 

A complete and proper recordation of the substance of any interview should include at least the following applicable items: 

1) A brief description of the nature of any exhibit shown or any demonstration conducted, 

2) an identification of the claims discussed, 

3) an identification of the specific prior art discussed, 

4) an identification of the principal proposed amendments of a substantive nature discussed, unless these are already described on the 
Interview Summary Form completed by the Examiner, 

5) a brief identification of the general thrust of the principal arguments presented to the examiner, 

(The identification of arguments need not be lengthy or elaborate. A verbatim or highly detailed description of the arguments is not 
required. The identification of the arguments is sufficient if the general nature or thrust of the principal arguments made to the 
examiner can be understood in the context of the application file. Of course, the applicant may desire to emphasize and fully 
describe those arguments which he or she feels were or might be persuasive to the examiner.) 

6) a general indication of any other pertinent matters discussed, and 

7) if appropriate, the general results or outcome of the interview unless already described in the Interview Summary Form completed by 
the examiner. 

Examiners are expected to carefully review the applicant's record of the substance of an interview. If the record is not complete and 
accurate, the examiner will give the applicant an extendable one month time period to correct the record. 

Examiner to Check for Accuracy 

If the claims are allowable for other reasons of record, the examiner should send a letter setting forth the examiner's version of the 
statement attributed to him or her. If the record is complete and accurate, the examiner should place the indication, "Interview Record OK' on the 
paper recording the substance of the interview along with the date and the examiner's initials. 
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Continuation Sheet (PTOL-413) 



Application No. 09/889,918 



Continuation of Substance of Interview including description of the general nature of what was agreed to if an 
agreement was reached, or any other comments: Mr. Larson called the examiner to indicate that the changes had 
been made but the applicants needed more time to look over the claims. The examiner said that 1 week (until April 
1 1th 2005) would be given. Mr. Larson stated that he would call if this was insufficient amount of time after discussing 
it with the applicants. The examiner received a voicemail message from Mr. Larson indicating that this amount of time 
was not sufficient and requested that the examiner take action on the application. 
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Examiner-Initiated Interview Summary 


Amplication No 
09/889,918 


GUILLOU ET AL 


L. ACH 1 II 1 ICI 

Matthew T. Henning 


Art Unit 

2131 





All Participants: Status of Application: Pending 



(1) Matthew T. Henning . (3) . 

(2) James Larson . (4) . 

Date of Interview: 28 March 2005 Time: 10:00 AM EST 

Type of Interview: 

Telephonic 

□ Video Conference 

□ Personal (Copy given to: □ Applicant □ Applicant's representative) 

Exhibit Shown or Demonstrated: M Yes □ No 

If Yes, provide a brief description: Claims marked to indicate the areas where the examiner found 112 errors.. 

Part I. 

Rejection(s) discussed: 

Claims discussed: 
1-18 

Prior art documents discussed: 
Part II. 

SUBSTANCE OF INTERVIEW DESCRIBING THE GENERAL NATURE OF WHAT WAS DISCUSSED: 

See Continuation Sheet 

Part III. 

□ It is not necessary for applicant to provide a separate record of the substance of the interview, since the interview 
directly resulted in the allowance of the application. The examiner will provide a written summary of the substance 
of the interview in the Notice of Allowability. 

It is not necessary for applicant to provide a separate record of the substance of the interview, since the interview 
did not result in resolution of all issues. A brief summary by the examiner appears in Part II above. 



(Examiner/SPE Signature) (Applicant/Applicant's Representative Signature - if appropriate) 
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Continuation Sheet (PTOL-413B) Application No. 09/889,918 



Continuation of Substance of Interview including description of the general nature of what was discussed: Examiner 
indicated that the independent claims contain allowable subject matter but are not in condition for allowance due to 
numerous 112 errors in all the claims as well as the lack of statutory subject matter in claims 1-3. The claims were 
discussed in order to show Mr. Larson each type of issue with the claims (i.e. lack of antecedent basis, lack of 
preamble, lack of gerund phrase in method step claims, etc.) and Mr. Larson indicated that he understood the 
problems and would call the examiner if he had any questions. Also, the examiner pointed out that the specification 
needs section headings and that there should be drawings and descriptions of the drawings in the specification. The 
examiner suggested that the applicant make the corrections and send them in in order to further procecution. The 
examiner and Mr. Larson agreed that 1 week (until April 4 th 2005) would be given to make the corrections and if that 
was not enough time Mr. Larson would call and request more time. A Copy of the fax sent to Mr. Larson of the claims 
with markings to indicate where corrections needed to be made is attached hereto. 
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Date: 24 Mar 2005 


To: James Larson 


From: Matthew T Henning 


Application/Control Number: 09/889,918 


Ait Unit 21 31 


Fax No.: (612)332-9081 


Phone No.: (571)272-3790 


Voice No.: (612) 332-5300 


Return Fax No.: (571)273-3790 


Re: 


CC: 



Q Urgent O For Review Q For Comment O For Reply O Per Your Request 



Comments: 

ATTN: James Larson Marked up copy of the claims indicating where changes need to be made. For interview 
scheduled for Monday March 28 , 2005. Your call will be expected at 10:00am EST. 



Number off pages 47 including this page 



STATEMENT OF CONFIDENTIALITY 

This facsimile transmission is an Official U.S. Government document which may contain information which is privileged and 
confidential. It is intended only for use of the recipient named above. If you are not the intended recipient, any dissemination, 
distribution or copying of this document is strictly prohibited. If this document is received in error, you are requested to 
immediately notify the sender at the above indicated telephone number and return the entire document in an envelope 
addressed to: 

Commissioner for Patents 
P.O. Box 1450 

AlpvanHria VA??3ia.1dSn 
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CLAIMS 

(Method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q„ Q,, ... Q„ and public values G„ G„ 
... G m m being greater than or equal to 1 1 , or of the parameters derived from these 
values, ^7reOLry\to\^ 

- a public modulus n constituted by the product of f prime factors p„ p 2 , ... 
Pr, f being greater than or equal to 2; 

said modulus, s aid exponen t and said values being related by relations of the 
following type 

Gi . Qi r e 1 . mod n or d s Q s v mod n; 
v designating a public exponent such that 



is v = 2 k 



where k is a security parameter greater than 1 ; 

said public value G, being the square g, 2 of a base number g, smaller than the f 
prime factors p„ p 2 , ... Pf ; the base number g, being such that the following two 
conditions are met: 
20 neither of the two equations: 

i 3 eg, mod n and x^-gitnodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

x v eg, 1 modn 

25 can be resolved in x in the ring of the integers modulo n; 

said method imple ments, in ihe following steps, ^entity called a witness having f 
prime factors p, and/or parameters of the Chinese remainders of the prime factors 
and/or the public modulus n and/or the m private values Q, and/or the f.m 
components Q, , (Q u a Q, rao d Pi ) of the private values Q.ancToHhe public 

30 exponent v; 
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- the witness computes commitments R in the ring of the integers modulo n; 
each commitment being computed: 

• either by performing operations of the type: 

R s r v mod n 
where r is a random value such that 0 < r< n, 
•or 

• • by performing operations of the type; 

where r^is a random value associated with the prime number p, such that O < r,< Pi , 
each rj belonging to a collection of random values (n ♦ r a , ... r<}, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising 
m integers d ( hereinafter called elementary challenges^ witness, on the basis of 
each challenge d, computes a response D f IW Ur\c 

*5 • either by performing operations of the type: 

D ■ r . Q t 41 . Q2 * ... Q m dro mod n 



JO 



» or 



• • by performing operations of the type: 

Di - * • Qui dl - Qu c . - Qk** a mod Pi 
20 and then by applying the Chinese remainder method; 

said method being such that there are a s many responses D as there are challenges d 
as there are commitments R* each group of numbers R,d,D forming a triplet 
referenced {R, d, D}, 

according to claim 1, designed to prove the authenticity of an 
25 entity known as a demonstrator to an entity known as the controller, said 
demonstrator entity comprising the witness; ^ 
said demonstrator and controller entities executing the following steps: 
• Step 1: act of commitment R 

at each call, the witness computes each commitment R by applying the 
30 process specified in claim 1, " 
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the demonstrator sends the controller all or part of each commitment R, 

* Step 2: act of challenge d 

- the controller, after having received all or part of each commitment R, 
produces challenges d whose number is equal to the number of commitments R and 
sends the challenges d to the demonstrator, 

•Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified in claim 1, 

• Step 4: act of checking 

- the demonstrator sends each response D to the controller, 

[case where the demonstrator has transmitted a part of each commitment R 
if the demonstrator has transmitted a part of each commitment R, the controller, 
having the m public values Qy, G2, G m , computes a reconstructed commitment 
R 1 , from each challenge d and each response D, this reconstructed commitment R 1 
15 satisfying a relationship of the type 

R' s Gi <H . G2 <J2 . G ra dm . D v mod n 
or a relationship of the type 

R T s D y /Gi « . G2 d2 . G m dm . mod n 
the controller ascertains that each reconstructed commitment R f reproduces all or 
20 part of each commitment R that has been transmitted to it. 

case .where the demonstrator has transmitted the totality of each commitment R 
if the demonstrator has transmitted the totality of each commitment R, the controller, 
having the m public values Gi, G2, G^ ascertains that each commitment R 
satisfies a relationship of the type 
25 R s Gi dl . G2 d2 . ^ G m dl " . DV mod n 

or a relationship of the type 

R b D v /Gi d * . G2 d2 . - G m dm . mod n ^ 

ethod according to claim l f designed to provide proof to an entity, 
known as the controller entity, of the integrity of a message M associated with an 
30 entity called a demonstrator entity, said demonstrator entity comprising the witness; 



3 



10/19/2004 14:16 FAX 6123323081 



MERCHANT & GOULD 



0005/047 



i 

49 



said demonstrator and controller entities executing the following steps: 

♦Stepl: act of commitment R 
• at each call, the witness computes each commitment R by applying the process 
specified according to claim 1, 
5 • Step 2: act of challenged 

- the demonstrator applies a hashing function h whose arguments are the message M 
and all or part of each commitment R to compute at least one token T, 

- the demonstrator sends the token T to the controller, 

- the controller, after having received a token T, produces challenges d equal in 
10 number to the number of commitments R and sends the challenges d to the 

demonstrator, ' 
• Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process specified according to claim I, 

15 -Step 4: act of checking 

- the demonstrator sends each response D to the controller, 

- the controller, having the m public values Gi, G2, G m , computes a 
reconstructed commitment R' f from each challenge d and each response D, this 
reconstructed commitment R f satisfying a relationship of the type 

20 R l «G 1 dl-G2 d2 ..MG m dm # Dv mo<In 
or a relationship of the type 

R , sD v /Gidl.G 2 d2.„.G m dm tniodn 

- then the controller applies the hashing function h whose arguments are the message 
M and all or part of each reconstructed commitment R' to reconstruct the token T\ 

25 - then the controller ascertains t hat the token T is identical to the token T 
transmitted. 

ethod according to claim 1, designed to produce the digital signature of 
a message M by an entity known as the signing entity, said signing entity comprising 
the witness; 
30 Signing operation 
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said signing entity executes a signing operation in order to obtain a signed message 
comprising: 

- the message M, 

- the challenges d and/or the commitments R. 
5 - the responses D; 

said signing entity executes the signing operation by implementing the following 
steps: 

♦Stepl: act of commitment R 

- at each call , the witness computes each commitment R by applying the process 
10 specified according to claim 1 , 

•Step 2: act of challenged 

- the signing party applies a hashing function h whose arguments are the message M 
and each commitment R to obtain a binary train, 

- from this binary train , t he signing party extracts challenges d whose number is 
1 5 equal to the number of commitments R, 

♦ Step 3: act of response D 

- the witness computes the responses D from the challenges d by applying the 
process sgecified according to claim L 

_ .(^ Method according to claim 4, designed to prove the authenticity of the 
20 message M by checking the signed message through an entity called a controller; 
Checking operation 

- said controller entity having the signed message executes a checking operation by 
proceeding as follows: 

C • case where the controller has commitments R, challenges d, responses D 
25 |^ if the controller has commitments R, challenges d, responses D, 

- • the controller ascertains that the commitments R, the challenges d and the 
responses D satisfy relationships of the type 

R = Gidl,G 2 ^....C in d m ,DVmodn 
or relationships of the type 
30 RsDv/Gidl.Gjd^.^Gmdm.modn 
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• • the controlle r ascertains that the message M, the challenges d and the 
commitments R satisfy the hashing function: 

d » h (message, R) 

t* case where (he controller has challenges d and responses D 
if the controller has challenges d and responses D, 

• • the controller reconstructs , on the basis of each challenge d and each 
response D, commitments R* satisfying relationships of the type 

R' m Gi dl . G2 d2 - ... G m dm , dv mod n 
or relationships of the type: 
10 R'eDv/G 1 dI,G2 d2 ....G m ( ? m .modu 

• • the controller ascertains that the message M and the challenges d satisfy 
the hashing function: 

d ~ h (message, R*) 

C* case where the controller has commitments R and responses D 
if the controller has commitments R and responses D, 

• • the controller applies t he hashing function and reconstructs d 1 

d 1 = h (message, R) 

• • the controller device ascertains that the commitments R, the challenges d' 
and the responses D satisfy relationships of the type 

20 R^Gid'l^^^Gmd'm^DVmodn 
or relationships of the type: 

R h DV/d d*l . Gi d ' 2 . ... G m *'m . mod ^) 
6» A system designed to prove, to a controller server, 

- the authenticity of an entity and/or 

25 - the integrity of a message M associated with this entity, 

bymeansof: tV e, CMP* b I C 

• m pairs of private values Q„ Q 2 , Qn and public values G u Gi, ... Q,, m 
being greater than or equal to 1, or parameters derived from these values, 

- a public modulus n constituted by the product of said f prime factors p u p 2 , 
30 ... pf, f being greater than or equal to 2, 
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said modulus and said values being linked by relations of the type 
G|« Qi v E 1 . mod n or Gj a Qj v mod a^T) 
v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 

said public value G, being the square of the base number gi smaller than the 
f prime factors Pl , Pj , Pf , the base number Bi being such that the following 
conditions are met: 

neither of the two equations: 

^-ftmoda and x 3 5-g;niodn 
can be resolved in x in the ring of integers modulo n 

the equation: 

x v s g* mod n 
can be resolved in x in the ring of the integers modulo n; 

said system comprises a witness device, contained especially in a nomad object 
which, for example, takes the form of a microprocessor-based bank card , 
the witness device comprises 

- a memory zone containing the f prime fectors p, and/or the parameters of the 
Chinese remainders of the prime factors and/or the public modulus n and/or the m 
private values Q, and/or tm components Q Vi (Q u e Q, mod Pi ) of the private values 
Qi and of the public exponent v; 

said witness device also comprises: 

- random value production means, hereinafter called random value production 
means of the witness device, 

- computation mean?, hereinafter called means for the computation of 
commitments R of the witness device, to compute commitments R in the ring of 
integers modulo n; each commitment being computed: 

• either by performing operations of the type: 

Rsr v modn 

where r is a random value produced by the random value production means, r being 
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such that 0<r<n, 

• or by performing operations of the type: 

Ri»r/raod pi 

where r t is a random value associated with the prime number P) such that 0 < r ; < p if 
5 each r 5 belonging to a collection of random values {r, , r 2 , „. r f }, then by applying 
the Chinese remainder method; 
said witness device also comprises: 

- reception mea^T^reinafter called the means for the reception of the 
challenges d of the witness device, to receive one or more challenges d; each 

10 challenge d comprising m integers d, hereinafter called elementary challenges; 

- computation means, hereinafter called means for the computation of the 
responses D of the witness device for the compulation, on the basis of each challenge 
d, of a response D, 

• either by performing operations of the type: 

15 Ds r .Q, d, .Q J d3 ._Q n) do ' m odn 
* or by performing operations of the type: 

D, « n . dl . Q u « ... Q^- mod pi 
and then by applying the Chinese remainder method. 

- transmission means to transmit one or more commitments R and one or 
20 more responses D; 
liuera^ there are as many responses D as there are challenges d as there are commitments R, 
each group of numbers R,d,D forming a triplet referenced {R*d,D}, 
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7. (Twice Amended) A system according to claim 6, designed to prove the 
authenticity of an entity called a demonstrator and an entity called a controller, 
said system being such that it comprises: 

- a demonstrator device associated with the demonstrator entity, said demonstrator 
device being interconnected with the witness device by interconnection means Mid 
possibly taking the form especially of logic microcircuits in a nomad object, for example 
the form of a mi croprocessor in a microprocessor-based bank card, 

- a controller device associated with the controller entity, said controller device 
especially taking the form of a terminal or remote server, said controller device 
comprising connection means for its electrical, electromagnetic, optical or acoustic 
connection, especially through a data-processing communications network, to the 
demonstrator device; 

said system enabling the execution of the following steps: 

• Stepl: act of commitment R 
at each call, the means of computation of the commitments R of the witness device 
Compute each commitment R by applying the method designed to prove to a controller 
entity, 

- the authenticity of an entity a nd/or 

■ the integrity of a message M associated with this entity, 
by means of all or part of the private values Qi, Q 2 , ... Q» and public values G„ G 2 , .„ 
Cm m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus d constituted by the product of f prime factors pi, pj, ..♦ pt, f 
being greater than or equal to 2; 
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said modulus, said exponent and said values being related by relations of the 
following type 

Gi . Qi r s 1 m mod n or Q e Q| v mod n; 
v designating a public exponent such that 

v«2 k 

where k is a security parameter greater than 1 ; 

said public value Gj being the square gi z of a base number & smaller than the f 
prime factors pi, p 2 , ... Pf ; the base number g, being such that the following two 
conditions are met: 
neither of the two equations: 

x 2 - gj mod n and x 2 s - g, mod n 
can be resolved in x in the ring of integers modulo n 
the equation: 

x v a gi 2 mod n 

can be resolved in x in the ring of die integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime 

factors pi and/or parameters of the Chinese remainders of the prime factors and/or the 

public modulus n and/or the m private values Qi and/or the f.m components Q u j (Qi, j a 

Qi mod Pj) of the private values Qi and of the public exponent v; 

>r^ or - the witness computes commitments R in the ring of the integers modulo n; each 

\ r - 

O e commitment being computed: 

• either by performing operations of the type: 

Rsr v mod n 

where r is a random value such that 0 < r < n, 

• or 

♦ • by performing operations of the type; 

Rj5f| v mod pj 

where n is a random value associated with the prime number pi such that 0 < n < p ( , each 
n belonging to a collection of random values {r x , r 2 , ... rrf, 

• • then by applying the Chinese remainder method; 
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- the witness receives one or more challenges d, each challenge d comprising m 
integers di hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, 

♦ either by performing operations of the type; 

Dsr.Qi dl . Qz* 2 . ... Q m dm mod n 

• or 

• • by performing operations of the type: 

Di ■ rj . Q u dl . Qu * • Qm» d " rood pi 

* * and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, D forming a triplet referenced {R, 
d,D}, 

where as the witness device has means of transmission, hereinafter called the 
transmission means of the witness device, to transmit all or part of each commitment R to 
the demonstrator device through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the transmission 
means of the demonstrator, to transmit all or part of each commitment R to the controller 
device through the connection means; 

•Step 2: act of challenge d 
the controller device comprises challenge production means for the production, after 
receiving all or part of each commitment R, of the challenges d equal in number to the 
number of commitments R, 

the controller device also has transmission means, hereinafter known as the transmission 
means of the controller! to transmit the challenges d to the demonstrator through the 
connection means. 

•Step 3: act of response D 
the means of reception of the challenges d of the witness device receive each challenge d 
coming from the demonstrator device through the interconnection means, 
the means of computation of the responses D of the witness device compute the responses 
D from the challenges d by applying the method designed to prove to a controller entity, 
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- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Q2» ... Q m and public values d, G:, • 
Gm, m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus u constituted by the product of f prime factors pi, P2» ... Pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Q. Qi v b'1 . mod n or Gi s Qi* mod 0; 
v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 

said public value G| being the square gj 2 of a base number gi smaller than the f 
prime factors pi, pi, ... pr ; the base number g t being such that the following two 
conditions are met: 
neither of the two equations; 

x*sgiiiiodn and x : «-&modn 
can be resolved in x in the ring of integers modulo n 
the equation: 

x v e gi Z mod n 

can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime 
factors pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qj and/or the Im components Q k j (Q,, j s 
Qi mod pj) of the private values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R b r v mod n 
where r is a random value such that 0 < r < n, 
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•or 

• • by performing operations of the type: 

Risrrmod p; 

where r ( is a random value associated with the prime number pi such that 0 < ri < p iy each 
n belonging to a collection of random values {ri , rj , . r*}, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers d< hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, \ > a o 

• either by performing operations of the type: 

D ■ r . Qi d! . Q 2 **. ... Q m dm mod n 

•or 

• • by performing operations of the type: 

Di b r t . Qv dl . Q u «\ ... d " mod p s 

• * and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, 
d,D}, 

• Step 4: act of checking 

the transmission means of the demonstrator transmi t each response D to the controller, 
the controller device also comprises : 

- computation means, hereinafter called the computation means of the controller 

device, 

- comparison means, hereinafter called the comparison means of the controller 

device, 

case where the demonstrator has transmitted a part of each commitment R- 

lf the transmission means of the demonstrator have transmitted a part of each 
commitment R, the computation means of the controller device, having m public values 
Gi, G2, G m , compute a reconstructed, commitment R\ from each challenge d and 
each response D, this reconstructed commitment R' satisfying a relationship of the type 
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R- b Gi dl . G2 62 . G m dm . D v mod n 

or a relationship of the type 

R' = D V /Gj dl . G 2 d2 . ... G m dm . mod n 
the comparison means of the controller device compare each reconstructed commitment 
R v with all or part of each commitment R received, 

case where the demonstrator has transmitted the totality of each commitment R 
if the transmission means of the demonstrator have transmitted the totality of each 
commitment R the computation means and the comparison means of the controller 
device, having m public values Gj, G2, G^ ascertain that each commitment R 
satisfies a relationship of the type 

R 5 Gi dl . G2 d2 . G m dm . D v mod n 
or a relationship of the type 

R - D v /Gx dl . G2 d2 G m dn » . mod 

8. (Twice Amended^S^stem according to claim 6, designed to give proof to an 
entity, known as a controller, of the integrity of a message M associated with an entity 
known as a demonstrator, 
said system being such that it comprises^) 

- a demonstrator device associated with the demonstrator entity, said demonstrator 
device being interconnected with the witness device by interconnection means and 
possibly taking the form especially of lo gic microcircuits in a nomad object, for example 
the form of a microprocessor in a microprocessor-based bank card, 

- a controller device associated with the controller entity, said controller device 
especially taking the form of a terminal or remote server, said controller device 



comprising connection means for its electrical, electromagnetic, optical or acoustic 



con nection, especially through a data-processing communications network, to the 
demonstrator device; 

said system enabling the execution of the following steps: 
• Step 1: act of commitment R 
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at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the method designed to prove to a controller 
entity, 

- (he authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Qi, Q m and public values Cu G2, ... 
G m m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, p:, ... Pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

G|. Qi v a 1 , mod n or G] s Q t v mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 

said public value Gi being the square gi 2 of a base number gi smaller than the f 
prime factors pi, p& ... Pr ; the base number gi being such that the following two 
conditions are met: 
neither of the two equations: 

x 2 s g| mod n and x 2 e - gj mod n 
can be resolved in x in the ring of integers modulo n 
the equation: 

x v s g 2 mod n 
can be resolved in x in the ring of the integers modulo n; 

said method implements, in t he follo wing steps, an entity called a witness having f prime 
factors pi and/or parameters of the Chinese remainders of the prime factors and/or^ the 
public modulus n and/or the m private values Qi and/or the f.m components Qi, j (Ol j = 
Qt mod Pj) of the private values Qi and of the public exponent v; 

- the witness c omputes commitments R in the ring of the integers modulo n; each 
commitment being computed: 
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• either by performing operations of the type: 

R = r* mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Rjs n v mod pi 

where r» is a random value associated with the prime number pi such that 0 < r% < pi, each 
r, belonging to a collection of random values {ri , rj , ... rr} 9 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers d t hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, tf^^ I ; 

• either by performing operations of the type: 

Dsr.Qi dl .Qa d2 .-Qm dia modn 

•or 

• • by performing operations of the type: 

Di h n . * . Qui ... Qui, dm mod P i 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d,D forming a triplet referenced {R, 
d,Dj, 

where as the witness device has transmission means, hereinafter called transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

• Step 2: act of challenge d 

the demonstrator device c omprises computation means, hereinafter called the 
computation means of the demonstrator, applying a hashing function h whose arguments 
are the message M and all or part of each commitment R to compute at least one token T, 
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the demonstrator device also has transmission means, hereinafter known as the 
transmission means of the demonstrator device, to transmit each token T through the 
connection means to the controller device, 

the controller device also has challenge production means for t he production , after having 
received the token T, of the challenges d in a number equal to the number of 
commitments R, 

the controller device also has transmission means, hereinafter called, the transmission 
means of the controller, to transmit the challenges d to the demonstrator through the 
connection means; 

•Step 3: act of response D 
the means of reception of the challenges d of the witness device receive each challenge d 
coming from the demonstrator device through the interconnection means, 
the means of computation of the responses D of the witness device compute the responses 
D fiom the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qi # <h, ... Q m and public values Gj, d, «. . 
G m m being greater than or equal to 1 1 , or of the parameters derived fiom these values, 

- a public modulus n constituted by the product of f prime factors pi, p:, ... pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Gi. Qi v ■ 1 . mod n or Gi a Q| V mod a; 

v designating a public exponent such that 

v=2 k 

where k is a security parameter greater than 1; 

said public value Gt being the square g* of a base number g| smaller than the f 
prime factors p t , pi, ... p f ; the base number © being such that the following two 
conditions are met: 
neither of the two equations : 



n 
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can be resolved in x in the ring of the integers modulo a; 

said metho d implements , in the following steps, an entity called a witness having f prime 
factors pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qj and/or the f.m components Q t| j (Q (r j a 
Qi mod pj) of the private values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

* either by performing operations of the type: 



where T\ is a random value associated with the prime number pi such that 0 < ri < pi, each 
n belonging to a collection of random values {rj , n , r f }, 

• * then by applying the Chinese remainder method; 
- the witness receives o ne or more challenges d, each challenge d comprising m 
integers dj hereinafter called elementary challenges; the witness, on the basis of each 



Rsr T mod u 



where r is a random value such that 0 < r < n, 



• or 



by performing operations of the type: 
Ri s i-j v mod p, 



challenge d, computes a response D, 



A 



• either by performing operations of the type: 



dm 



mod n 



•or 



• • by performing operations of the type: 

D ( m n . Q u dl . Qia * ... Q Um dra mod p, 

• • and then by applying the Chinese remainder method; 
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said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d> D forming a triplet referenced (R, 
d,D}, 

• Step 4: act of checking 

the transmission means of the demonstrato r transmit each response D to the controller, 
the controller device also comprise s computation means, hereinafter called the 
computation means of the controller device, having m public values G\ f G2, G m , to 
firstly compute a reconstructed commitment R\ from each challenge d and each response 
D, this reconstructed commitment R' satisfying a relationship of the type 

R' m Gi dl . C2 d2 . ... G m dm . D v mod a 
or a relationship of the type 

R' a DV/d dl . G2 d2 . ... G m dm , mod n 
then, secondly, compute a token T by applying the hashing function h having as 
arguments the message M and all or part of each reconstructed commitment R', 
the controller device also has comparison means, hereinafter known as the comparison 
means of the controller device, to compare the computed token V with the received 
token T. 

9. ( Twice Amende^S^stem according to claim 6, designed to produce the digital 
signature of a message M, hereinafter known as the signed message, by an entity called a 
signing entity, 

the signed message comprising: 

* the message M, 

- the challenges d and/or the commitments R> 

- the responses D; 
Signing operation 

said system being such that it comprises a signing device associated with the signing 
entity, said signing device being interconnected with the witness device by 
interconnection means and possibly taking the form especially of logic microcircuits in a 
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nomad object, for examp le the form of a microprocessor in a microprocessor-based bank 
card, 

said system enabling the execution of the following steps: 

• Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the method designed to prove to a controller 
entity, 

~ the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qt, Qz» .» Qm and public values d, Gz, ... 
Grm m being greater than or equal to 1 1 , or of the parameters derived from the$e values, 

- a public modulus n constituted by the product of f prime factors pi, p:, ... pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Gi. Qi v s 1 , mod n or Gi a QT mod n; 
v designating a public exponent such that 

v = 2 u 

where k is a security parameter greater than 1 ; 

said public value Gt being the square gj 2 of a base number g$ smaller than the f 
prime factors pi, P2» ••- Pr ; the base number gj being such that the following two 
conditions are met: 
neither of the two equations: 

x 2 »gi mod n and x J = - gi mod n 
can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gi z mod n 

can be resolved in x in the ring ofthe integers modulo n; 

said method implements , in the following steps, an entity called a witness having f prime 
factors pi and/or parameters of the Chinese remainders of the prime factors and/or the 
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public modulus n and/or the m private values Qi and/or the Lm components Qu j (Qi, j s 
Qi mod Pi) of the private values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri s n v mod pi 

where r ( is a random value associated with the prime number pi such that 0 < r ( < pi, each 
r ( belonging to a collection of random values {ri » r2 , ... u), 

• ♦ then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 

integers d; hereinafter called elementary challenges; the witness, on the basis of each 

A 

challenge d, computes a response D, W L- 

• either by performing operations of the type: 

D = r . Qi dl . Qi . Q ra dro mod □ 

•or 

• ♦ by performing operations of the type: 

Dj s r, . Q M dI . Q w * „. Q Um dm mod pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d, D forming a triplet referenced {R i 
d,D}, 

where as the witness device has means of transmission, hereinafter called the 
transmission means of the witness device, to transmi t all or part of each commitment R to 
the demonstrator device through the interconnection means, 
■Step 2: act of challenge d 
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the signing device comprises computation means, hereinafter called the computation 
means of the signing device, applying a hashing function h whose arguments are the 
message M and all or part of each commitment R to compute a binary train and extract, 
from this binary train, challenges d whose number is equal to the number of 
commitments R, 

•Step 3: act of response D 
the means for the reception of the challenges d of the witness device receive each 
challenge d coming from the signing device through the interconnection means, 
the means for computing the responses O of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the au thenticity of an entity and/or 

- die integrity of a message M associated with this entity, 

by means of all or part of the private values Qi, Qi, ... Qm and public values Gi, G 2 , ... 
Gm, m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, pi, ... pr» f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

G| . Qj v = 1 . mod n or G) b Q| y mod n; 
v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater (ban 1 ; 

said public value G; being the square gi 2 of a base number gj smaller than the f 
prime factors pi, p2, ... pr ; the base number gj being such that the following two 
conditions are met: 
neither of the two equations: 

x 2 « gj mod n and x 2 e - gi mod n 
can be resolved in x in the ring of integers modulo n 
the equation: 

x v s g, 2 mod u 
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can be resolved in x in the ring of the integers modulo a; 

said method implements, in the following steps, an entity called a witness having f prime 
factors p ijmd/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qi and/or the f.m components Oi, j (Qi, j ■ 
Qi mod pj) of the private values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R s r T mod n 
where r is a random value such that 0 < r < u, 
•or 

• • by performing operations of the type: 

Rj = I*| V mod pi 

where r\ is a random value associated with the prime number pi such that 0 < n < pt, each 
t\ belonging to a collection of random values [r x , t % , rrf, 

• • then by applying the Chinese remainder method; 

- die witness receives one or more challenges d, each challenge d comprising m 
integers d< hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D> htL- 

* either by performing operations of the type: 

Der.Qi dJ . Q 2 Q„ ta mod n 

• * by performing operations of the type: 

Di = n . Qy dl . Q14 Qmo* 1 " mod pi 
• « and then by applying the Chinese remainder method; 
said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d,D forming a triplet referenced {R, 

where as the witness device cor^^transmission means, hereinafter called means of 
transmission of the witness devic e^to transmit the responses D to the signing device 
through the interconnection means. 
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Ifffj^stem according to claim 9, designed to prove the authenticity of the 



message M by checking the signed message by means of an entity called the 
controller, ' " — 



Checking operation 

5 the system being such that it comprises a controller device associated with the 
controller entity, said controller device e specially taking th e form of a terminal or 
remote server, said controller device comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection, especia lly through a date-processing^ 
communications network, to the signing device; 
10 the signing device associated with the signing entity TOmErise^transmission means, 'f 
hereinafter known as the transmission means of the signing device, for the 
transmission, to the controller device, of the signed message through the connection^ 
means, in such a way that the controller device has a signed message comprising: 

- the message M, 

i * - the challenges d and/or the commitments R, 

- the responses D; 

the controller device comprises: 

- computation means hereinafter called the computation means of the 
controller device, 

20 " comparison means, hereinafter called the comparison means of the 

controller devi<^^) 

• case where the controller device has commitments R, challenges d, responses D 
if the controller has commitments R, challenges d, responses D, 

• ♦ the computation and comparison means of the controller device ascertain 
25 that the commitments R, the challenges d and the responses D satisfy relationships of 
the type 

RsGi dl .G 2 d2 .,..G m dm. D v modn 
or relationships of the type: 

R ^ Dv/Gi « . G2 d2 . ... G m dm . mod n 
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• • the computation and comparison means of the controller device ascertain 
that the message M, the challenges d and the commitments R satisfy thehashing 
function: 

d ■ h (message, R) 

5 ) • case where the controller device has challenges d and responses D 
1^ if the controller device has challenges d and responses D» 

• • the compulation means of the controller, on the basis of each challenge d 
and each response D, compute c ommitments R* satisfying relationships of the type 

R , sGidl.G 2 <I2 ....G ra d m.DVmodn 

10 or relationships of the type: 

R' a Dv/d dl . G 2 • ... G ro dm . mod n 

• • the computation and comparison means of the controller device ascertain 
that the message M and the challenges d satisfy the hashing Amotion: """"" 

d = h (message, R') 

15 n case where the controller device has commitments R and responses D 
L if the controller device has commitments R and responses D, 

• • the computation means of the controller device apply the hashing function 
and compute d* such that ~~ 

d f = h (message, R) 

20 • * the computation and comparison means of the controller device ascertain 



that the commitments R, the challenges d* and the responses D satisfy relationships 
of the type 

R B Gi d '1 . G2 d ' 2 . ~. G m d 'm . Dv mod n 

or relationships of the type: 
25 R S DV/Gi d'l . g 2 d<2 . G m d'm . mod^ 

_ 11 > A terminal device associated with an entity, taking the form especially of 
a nomad object, for example the form of a microprocessor in a microprocessor-based 
bank card, designed to prove to a controller se rver 
- the authenticity of an entity and/or 
30 - the integrity of a message M associated with this entity; 



26 
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by means of : 

- m pairs of private values Q lp Q 3j ... Q m and public values G„ G z , Qa.m 
being greater than or equal to 1, or parameters derived from these values, 

- a public modulus n ronstiluted by the product of said f prime factors p Jf pj t 
«. pr (f being greater than or equal to 2), 
said modulus and said values being related by relations of the type 

G, . Qi v s l . mod n or Gi b Qf mod n . 
v designating a public exponent such that 

v»2 k 

where k is a security parameter greater than 
said public value G, being the square g, 2 of the base number g 8 smaller than the f 
prime factors p M p 2 , ... p ff the base number gi being such that: 
neither of the two equations: 

^ - gi mod n and x l s - & mod n 
15 can be resolved in x in the ring of integers modulo a 
the equation: 

x y s gj 3 mod n 
can be resolved in x in the ring of the integers modulo 
said terminal device comprises a witness device comprising, 
20 - a memory zone containing the f prime factors p a and/or the parameters of the 

Chinese remainders of the prime factors and/or the public modulus n and/or the m 
private values Q ; and/or f,m components Q Ki (Q u m Q % mod p$ of the private values 
Qi and of the public exponent v. 
said witness device also comprises: 

25 - random value production means, hereinafter called random value production 

means of the witness device, 

- computation means, hereinafter called means for the computation of 

commitments R of the witness device , to compute commitments R in the ring of the 

integers modulo n; each commitment being computed: 
30 • either by performing operations of the type: 
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Rsr v modn 

where r Is a random value produced by the random value production means, r being 
such that0<r<n, 

• or by performing operations of the type: 
$ Ri»r 8 v modpi 

where Ti is a random value associated with the prime number p s such that 0 < r t < R, 
each ri belonging to a collection of random values {r t , r 3 , ... r r } produced by the 
random value production means, then by applying the Chinese remainder method; 
said witness device also comprises: 

10 - reception means hereinafter called the means for the reception of the 

challenges d of the witness device , to receive one or more challenges d; each 
challenge d comprising m integers d, hereinafter called elementary challenges; 

- computation means, hereinafter called means for the computation of the 
responses D of the witness device, for the computation, on the basis of each 

1 5 challenge d, of a response D, 

• either by performing operations of the type: 

D = r. Q, dl .Q, •» ... Q^* modn 

• or by performing operations of the type: 

»i 2 *i • Qu dl • Qu Qu*" mod p, 

20 and then by applying the Chinese remainder method, 

• transmission means to transmit one or more commitments R and one or 
more responses D; 

w>k*re: cohere are as many responses D as there are challenges d as there are commitments R, 
each group of numbers R,d,D forming a triplet referenced {R, d, D>. 



#7 
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12- (Twice Amende^A^rminaJ device according to claim 1 1 , designed to prove 
the authenticity of an entity called a demonstrator to an entity called a control^e^ 
s aid terminal device being su ch that it comprises a demonstrator device associated with 
the demonstrator entity, said demonstrator device being interconnected with the witness 
device by interconnection means and being capable especially of taking the form of logic 
microcircuite in a nomad object for example the for m of a microprocessor in a 
microprocessor-based bank card, 

said demonstrator device also comprising connection means for its electrical, 
electromagnetic, optical or acoustic connection , especially through a data-processing 
communications network, to the cont roller device associated with the controller entity, 
said controller device especially taking the form of a terminal or remote server; 
said terminal device enabling the execution of the following steps: 

♦Stepl: act of commitment R 
at each call, the means of computation of the commitments R of the witness device 
compute ea ch commitment R by applying the method designed to prove to a controller 
entity, 

- the authenticity of an entity and/or 

-the integrity of a message M associated with this entity, 
by means of all dr part of the private values Qi, Q 2 , ... Q m and public values d, G2, . . . 
Gb» m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors p Jf p 2 » ... pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations, of the 
following type 

Gj.Qi v b1 , mod n or Gi = Qi V tnod d; 
v designating a public exponent such that 
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v = 2 k 

where k is a security parameter greater than 1; 

said public value Q being the square g* of a base number gi smaller than the f 
prime factors pi> p 2 , ... pr ; the base number gi being such that the following two 
conditions are met: 
neither of the two equations: 

x 2 h g, mod d and x's-gimodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of (he integers modulo n; 

said method implements , in the following steps, an entity called a witness having f prime 
factors pi and/o r parameters of the Chinese remainders of the prime factors and/o r the 
public modulus n and/or the m private values Qj yd/o r the f.ra components Qj, j (Qi, j a 
Qi mod pj) of the private values Q; and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

Rnr v modn 
where r is a random value such that 0 < r < n p 

• or 

• • by performing operations of the type: 

Ri = r| v mod pi 

where n is a random value associated with the prime number pi such that 0 < n < p h each 
r ( belonging to a collection of random values {n , r 2 , ... r r }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers d| hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, £\ 

■ l^U- 

• either by performing operations of the type: 



2P\ 
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D m r . Q , d 1 . Q, ... Q m d » mod n 

•or 

• • by performing operations of the type: 

Di m n . Q M dl . Qi,, * „. Q Km dm mod p, 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, 
d,D}, 

where as the witness device has transmission means, hereinafter called the transmission 
means of the witness device, to transmit all or part of each commitment R to the 
demonstrator device through the interconnection means, 

the demonstrator device also has transmission means, hereinafter called the transmission 
means of the demonstrator, to transmit all or part of each commitment R to the controller 
device, through the connection means; 

• Steps 2 and 3: act of challenge d, act of response D 
the means of reception of the challenges d of the witness device receive each challenge d 
coming from the controller device through the connection means between the controller 
device and the demonstrator device and through the interconnection means between the 
demonstrator device and the witness device, 

the means of computation of the responses D of the witness device compute the responses 
D from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qj, Q 2 , ... Q m and public values G„ G2, ... 
Gnu m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pj, p 2 , ... p r , f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Gi . Qj v b 1 . mod o or Gi e Qi v mod n; 
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v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gj being the square %\ of a base number a smaller than the f 
prime factors pj, P2, p f ; the base number & being such that the following two 
conditions are met: 
neither of the two equations; 

x 2 = g; mod n and r 1 s - gj mod n 
can be resolved in x in the ring of integers modulo d 
the equation: 

x v s g] 3 mod n 
can be resolved in x in the ring of the integers modulo n; 

said method implement s, in the following steps, an entity called a witness having f prime 
factors p l and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Q t and/or the Cm components Qi, j (Qi, j b 
Qi mod pj) of the private values Qi and of the public exponent v; 

- the witness c omputes c ommitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: . 

Rsfmodn 
where r is a random value such that 0 < r< n, 
• or 

• • by performing operations of the type; 

Rjsr'mod pi 

where ri is a random value associated with the prime number pi such that 0 < n < pi, each 

n belonging to a collection of random values {fi , , 17} , \ 

• • then by applying the Chinese remainder method; \ 

- the witness receive s one or more challenges d, each challenge d comprising m 
integers di hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, csr ' r '"'^ 
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• either by performing operations of the type: 

Dsr.Q^.Qi", ...Q^modn 

•or 

• • by performing operations of the type: 

Dj s rj ♦ Q^i dl . 41 — dro mod pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, 
d,D}, 

•Step 4: act of checking 

the transmission means of the demonstrator transmit each response D to the controller 
that carries out the check. ~" 



13. ( Twice Amcndi 




device according to claim 11, designed to give 



proof to an entity, known as a controller, of the integrity of a message M associated with 
an entity known as a demonstrator, 

said terminal device being such that it comprises a demonstrator device associated with 
the demonstrator entity, said demonstrator device being interconnected with the witness 
device by interconnection means and being capable especially of taking the form of logic 
microcircuits in a nomad object, for example the form of a microprocessor m a 
micropr ocessor-based bank card, 

said demonstrator device comprising connection means for its electrical, electromagnetic, 
optical or acoustic connection, esp ecially through a data-processing communications 
network, to the controller device associated with the controller entity, said controller 
device e specially taking the form of a terminal or rem ote server; 
sai d terminal devi ce being used to execute the following steps: 

• Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the method designed to prove to a controller 
entity, 
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- the aut henticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Q l9 Q2, ... Q M and public values Gi, G 2) ... 
G m , m being greater than ox equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, P2, ... pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

G|. Qi T b 1 . mod n or G] s Q| V mod n; 
v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gj being the square gi 2 of a base number & smaller than the f 
prime factors pi, P2, ... pr ; the base number gj being such that the following two 
conditions are met: 
neither of the two equations: 

a gi mod n and x 2 s - gj mod n 

can be resolved in x in the ring of integers modulo n 
the equation: 

x v & gj 2 mod n 
can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime 
factors pi and/or parameters of (he Chinese remainders of the prime factors and/or the 
public modulus n and/o r the m private values Q\ and/or the f.m components Qj, j (Q if j = 
Q, mod pj) of the private values Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R 3 r v mod d 
where r is a random value such that 0 < r < n, 
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• or 

• • by performing operations of the type: 

Rsr, v modpi 

where r s is a random value associated with the prime number pi such that 0 < n < p lf each 
r, belonging to a collection of random values {n , r 2 , ... rf}, 

• * then by applying the Chinese remainder method; 

- the witness re ceives on e or more challenges d, each challenge d comprising m ' 
integers d| hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, 

• either by performing operations of the type: 

D = r.Qi d \Q2 <n ....Qm d,a modn 

• or 

• ♦ by performing operations of the type: 

Di = r ( . Qu dI . Q\j * ... Qi, m mod pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, 
d,D); 

where as the witness device has means of transmission, hereinafter called the 
transmission means of the witness device, to transmit all or part of each commitment R to 
the demonstrator device through the interconnection means, 

• Steps 2 and 3: act of challenge d, act of response D 

the demonstrator device comprises computation means, hereinafter called the 
computation means of the demonstrator, applying a hashing function b whose arguments 
are the message M and all or part of each commitment R to compute at least one token T, 
the demonstrator device als o has transmission means, hereinafter known as the 
transmission means of the demonstrator device, to transmit each token T, through the 
connection means, to the controller device, 

said controller, after having received the token T, produces challenges d equal in number 
to the number of commitments R, 
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the means of reception of the challenges d of the witness device receive each challenge d 
coming from die controller device through the connection means between the controller 
device and die demonstrator device and through the interconnection means between the 
demonstrator device and the witness device, 

the means of computation of the responses D of the witness device compute the responses 
D from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qj, Qj, ... Q ra and public values Gi, G2, . 
Gnu m being greater than or equal to 1 1 , or of the parameters derived from these values, 

* a public modulus n constituted by the product of f prime factors pi, p?, ... pr, f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 

Q * Qi v s 1 . mod n or Gi s Qj T mod u\ 
v designating a public exponent such that 

v = 2 fc 

where k is a security parameter greater than 1 ; 

said public value Gi being the square & 2 of a base number & smaller than the f 
prime factors pi, pz> ... Pr ; the base number gi being such that the following two 
conditions are met: 
neither of the two equations: 

j^Bgimodn and x 2 s - & mod n 
can be resolved in x in the ring of integers modulo n 
the equation: 

x'ag^modn 
can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime \ 
factors pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus o and/or the m private values Qi and/or the f.m components Qj ( j (Qi, j = 



13/2004 14:24 FAX 6123329081 MERCHANT & QOULO ©037/047 



Qi mod pj) of the private vahies Qi and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random value such that 0 < r < n, 

• or 

* a by performing operations of the type: 
Ri-r^mod p; 

where n is a random value associated with the prime number p ( such that 0 < ri < p (> each 
n belonging to a collection of random values (n , r 2 , ... r r }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d comprising m 
integers d ( hereinafter called elementary challenges; the witness, on the basis of each 
challenge d* computes a response D, 

■ either by performing operations of the type: 

D s r . Qi 41 . Qi w . . Qm dm mod n 

• or 

• • by performing operations of the type: 

Di s n . Qt,i * . * ... Qj,™ mod p, 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, 
d, D), 

• Step 4: act of checking 

the transmission means of the demonstrator send each response D to the controller device 
which performs the check. 
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14. (Twice Amended) Terminal device according to claim 11, designed to 



produce the digital signature of a message M, hereinafter known as the signed message, 
by an entity called a signing entity; 
the signed message comprising: 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 

said terminal device being such that it comprises a signing device associated with the 
signing entity, said signing device being interconnected with the witness device by 
interconnection means and possibly taking especially the form of logic microcircuits in a 
nomad object, for example the form of a microprocessor in a microprocessor-based bank 
card, 

said demonstrator device comprising connection means for its electrical, electroma gnetic, 
optical or acoustic connection, especially through a data-processing communications 
network, to the controller device associated with the controller entity, said controller 
device especially taking the form of a terminal or remote server; 
Signing operation 

said terminal device being used to execute the following steps: 

• Step 1: act of commitment R 
at each call, the means of computation of the commitments R of the witness device 
compute each commitment R by applying the method designed to prove to a controller 



- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qj, Q2, ... Q m and public values G|, Gj, ... 
Grm m being greater than or equal to 1 1 , or of the parameters derived from these values, 

- a public modulus n constituted by the product of f prime factors pi, P2, ... Pr> f 
being greater than or equal to 2; 

said modulus, said exponent and said values being related by relations of the 
following type 



entity, 
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G| • Qi* = 1 . mod n or Gi a Q| V mod n; 

v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1; 

said public value G| being the square & 2 of a base number gi smaller than the f 
prime factors pi, pj» ... pr ; the base number gi being such that the following two 
conditions are met: 
neither of the two equations: 

x 2 s gj mod d and ^s-gjmodn 
can be resolved in x in the ring of integers modulo n 
the equation: 

x v s gi 2 mod n 
can be resolved in x in the ring of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prune 
factors pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n end/or the m private values Qi and/or the f.m components Qi, j (Qi, j = 
Qi mod pj) of the private values Qi and of the public exponent v; 

. the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R^r v modn 
where r is a random value such that O < r < n, 
• or 

• • by performing operations of the type: 

Ri = r\ y mod pi 

where r\ is a random value associated with the prime number pi such that 0 < n < Pu each 
ri belonging to a collection of random values {n , rj , ... rrf, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d» each challenge d comprising m . 
integers d, hereinafter called elementary challenges; the witness, on the basis of each 

i 

J* 
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challenge d, computes a response D, 

• either by performing operations of the type: 

D = r . Qi dl . Qi ^ ... Qn, dm mod o 

• or 

• • by performing operations of the type: 

Di s n . Qu 41 . Qu -I . — Qm* dm mod p, 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, 
d,D}, 

where as the witness device has means of transmission, hereinafter called the 
transmission means of the witness device, to transmit all or part of each commitment R to 
the signing device through the interconnection means, _ - 

• Step 2: act of challenge d 

the signing device comprises computation means, hereinafter called the computation 
means of the signing device, applying a hashing function h whose arguments are the 
message M and all or part of each commitment R to compute a binary train and extract, 
from this binary train, challenges d whose number is equal to the number of 
commitments R, 

• Step 3: act of response D 

the means for the reception of the challenges d of the witness device receive e ach 
challenge d coming from the signing device through the interconnection means, 
the means for computing the responses D of the witness device compute the responses D 
from the challenges d by applying the method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the private values Qu Qz* ... Q m and public values d, G 2 , ... | 
G m , m being greater than or equal to 1 1 , or of the parameters derived from these values, 

• a public modulus n constituted by the product of f prime factors pi, pi, ... Pr, f 
being greater than or equal to 2; 
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said modulus, said exponent and said values being related by relations of the 
following type 

C|. Qi r = 1 . mod n or Gi s Q t v mod u; 
v designating a public exponent such that 

v = 2 k 

where k is a security parameter greater than 1 ; 

said public value Gj being the square gj 2 of a base number gi smaller than the f 
prime factors pi, px> ... Pr ; the base number & being such that the following two 
conditions are met: 
neither of the two equations: 

x 2 gi mod n and x 2 = - g, mod n 
can be resolved in x in the ring of integers modulo n 
the equation: 

x v sgi 2 modn 
can be resolved in x in the zing of the integers modulo n; 

said method implements, in the following steps, an entity called a witness having f prime 
factors pi and/or parameters of the Chinese remainders of the prime factors and/or the 
public modulus n and/or the m private values Qi and/or the f.m components Qi j (Qi, j s 
Qi mod pj) of the private values Qj and of the public exponent v; 

- the witness computes commitments R in the ring of the integers modulo n; each 
commitment being computed: 

• either by performing operations of the type: 

R = r T mod n 
where r is a random value such that 0 < r< n, 
* or 

* * by performing operations of the type: 

Rj s n v mod pi 

where n is a random value associated with the prime number pi such that 0 < n < p;, each 
n belonging to a collection of random values {n , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 
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- the witness receives one or more challenges d, each challenge d comprising m 
integers dj hereinafter called elementary challenges; the witness, on the basis of each 
challenge d, computes a response D, 

• either by performing operations of the type: 

D a r . Q t dl . Qj * . . . Q m ta mod n 

• or 

♦ • by performing operations of the type: 

Di s n . Qm dl . Qw * - Qi» dtt mod pi 

• • and then by applying the Chinese remainder method; 

said method being such that there are as many responses D as there are challenges d as 
there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, 
d,D}, 

where as the witness device c omprises transmission means, hereinafter called means of 
„ — i ^ — 

transmission of the witness device, to transmit the responses D to the signing device, 
through the interconnection means. 

l^^ntroller device especially talcing the form of a terminal or remote 



server associated with a controller entity, designed to check: 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity 
25 by means of: 

- m pairs of public values G u Ga, ... , m being greater than or equal to 1, 

- a public modulus n constituted by the product of said f prime factors Pu Pz> 
p f , f being greater than or equal to 2, unknown to die controller device and to the 

associated controller entity, 
30 said modulus and said values being related by relations of the type 
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G,.Q 4 v sl . modnorGisQi T moda. 
where Q, designates a private value, unknown to the controller device, associated 
with the public value G 4 . 
v designating a public exponent such that 
5 v = 2 h 

where k is a security parameter greater than 1 ; 

said public value G, being the square gi * of a base number & smaller than the f prime 
factors p„ Pl . ... p,, the base number g, being such that the following conditions are 
met: 

i 0 neither of the two equations: 

x* s gj mod n and x 3 ^ - gj mod d 
can be resolved in x in the ring of integers modulo n 
the equation: 

x v a mod n 

15 cante resolved in x in the ring of the integers modulo n. 

16(^ C^ntroller device according to claim 15, designed to prove the 

authenticity of an entity called a demonstrator to an entity called a controller; 

said controller device comprising connection means for its electrica l. 

electromagnetic, optical or acoustic connection, especially through a data-processing 
20 communications network, to a demonstrator device associated with the demonstrator 

entity; 

sid c ontroller device being used to ex ecute the following steps: 

* Steps 1 and 2: act of commitment R, act of challenge d 
said controller device also has means for the reception of all or part of the 
25 commitments R coming from the demonstrator device through the connection means, 
the controller devic e has c hallenge production means for the production, after 
receiving all or part of each commitment R, of the challenges d in a number equal to 
the number of commitments R, each challenge d comprising m integers dj 
hereinafter called elementary challeng^?^ 
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the controller device also has transmission means, hereinafter called transmission 
means of the controlle r, to transmit the challenges d to the demonstrator through the 
connection means; 

• Steps 3 and 4: act of response D, act of checking 
said controller device also comprises; 

- means for the reception of the responses D coming from the demonstrator 
device, through the connection means, 

computation means, hereinafter called the computation means of the 
controller device, 

- comparison meaDj, hereinafter called the comparison means of the 
controller device, 

case where the demonstrator has transmitted a part of each commitment R. 
if the reception means of the demonstrator have received a part of each commitment 
R, the computation means of the controller device, having m public values Gi, G2, 
15 G m , compute a reconstructed commitment R\ from each challenge d and each 

response D, this reconstructed commitment R' satisfying a relationship of the type 

R 1 * Gi <J1 . G2 42 . ... G m dm . D v mo d n 
or a relationship of the type 

R' S Dv/G, <» . G2 « . ... G m dm . mo d n 

20 the comparison means of the controller device compare eac h reconstructed 
commitment R* with all or part of each commitment R rcceivpdr^ 
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case where the demonstrator has transmitted the totality of each 
commitment R 

if the transmission means of the demonstrator have received the totality of each 
commitment R, the computation means and the comparison means of the controller 
device, having m public values Gj, G2, -., G m , ascertain that each commitment R 
satisfies a relationship of the type 

R = Gi *1 . G 2 62 . •» G m dm , 0v mod n 
or a relationship of the type 

R m D v /Gj 61 . G 2 62 . G m dm . mod n 
(f^Controller device according to claim 15, designed to give proof to an entity, 
known as a controller, of the integrity of a message M associated with an entity known as 
a demonstrator, 

said controller device comprising connection means for its electrical, electromagnetic, 



optical or acoustic connection, especially through a data-processing communications 
network, to a demonstrator device associated with the demonstrator entity, 
said syste m enabling the ex ecution of the following steps: 

• Steps 1 and 2: act of commitment R, act of challenge d 

said controller device also has means for the receptio n of tokens T coming from the 
demonstrator device through the connection means, 

the controller device has cha llenge production means fo r the production, after having 
received the token T, of the challenges d in a number equal to the number of 
commitments R, each challenge d comprising m integers dj, herein after called 
elementary challenges, 

the controller device also has transmission means, hereinafter called the transmission 
means of the controller, t o transmit th e challenges d to the demonstrator through the 
connection means; 

• Steps 3 and 4: act of response D, act of checking 
the controller device also comprises: 

- means for the rece ption of the responses D coming from the demonstrator 
device, through the connection means, 
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- computation means, hereinafter called the computation means of the controller 
device, having m public values G]» G2» G m , to firstly compute a reconstructed 
commitment R\ from each challenge d and each response D, this reconstructed 
commitment R v satisfying a relationship of the type 



then, secondly, compute a token T* by applying the hashing function h having as 
arguments the message M and all or part of each reconstructed commitment R\ 
the controller device also comprises: 

- comparison means, hereinafter called the comparison means of the controller 
device, to compare the computed token T with the received token T. 



^ l^O pntroller device according to claim 15, designed to prove the authenticity of 
the message M by checking a signed message by means of an entity called a controller; 
the signed message, sent by a signing device associated with a signing entity having a 
hashing function h (message, R), comprising: < 

- the message M, 

- the challenges d and/or the commitments R, 

- the responses D; 
Checking operation 

said controller device comprising connection means for its electrical, electromag netic, 
optical or acoustic connection, especially through a data-processing communications 
network, to a signing device associated with the signing entity, 

said controller device having received the signed message from the signed device, 
through the connection means, 
the controller device comprises: 

- computation means, hereinafter called the computation means of the controller 

device, 

- comparison means, hereinafter called the comparison means of the controller 

device; 



R* = G 2 dl . G2 d2 . ~. Gm dm - DV mod n 



or a relationship of the type 



R' - DV/d dl . G2 d2 . ... G m dm . mod n 
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r # case where the controller device has commitments R, challenges d, responses D 
if the controller has commitments R, challenges d, responses D, 

• • the computation and comparison means of the controller device ascertain that 
the commitments R, the challenges d and the responses D satisfy relationships of the type 

R « Gi « . G2 . ... Gm dm . D v mod n 
or relationships of the type: 

R = pv/Gj dl . d2 _ Gm dm . mod n 

• • the computation and comparison means of the controller device ascertain that 
the message M, the challenges d and the commitments R satisfy the hashing function 

d - h (message, R) 
) • case where the controller device has challenges d and responses D 
f if the controller device has challenges d and responses D, 

' • • the computation means of the controUex, on the basis of each challenge d and 
each response P, compute c ommitments R' satisfying relationships of the type 

R> *G 1 dl , G2 <*2 . ... G m dm .dv mod n 
or relationships of the type: 

R' - D v /G! dl . G2 d2 . ... Gm dm . mod n 

• • the computation and comparison means of the controller device ascertain that 
the message M and the challenges d satisfy the hashing function: " 

d « h (tnessagei R') 
) • case where the controller device has commitments R and responses D 
/ if the controller device has commitments R and responses D, 

• • the computation means of the controller device apply the hashing function and 
compute d' such that 

d' - h (message, R) 

• • the computation and comparison means of the controller device ascertain that 
the commitments R, the challenges d> and the responses D satisfy relationships"oTthe 
type 

R * Gi d'l . G2 d'2 . ... Gm d'm . D v mod n 

or relationships of the type: 



R-DV /Gl d'l. G2 d'2.„. Gm d'm, mod 



